On September 29, 2020, the Department of Defense published an Interim Final Rule on Assessing Contractor Implementation of Cybersecurity Requirements. The rule will affect an estimated 220,000 DoD contractors. It calls upon every DoD contractor to conduct a self-assessment against the 110 security requirements of NIST Special Publication (SP) 800-171 and submit their score to DoD through the Supplier Performance Review System (SPRS). A new contract clause imposing this requirement will appear in solicitations and other contract actions on or after November 30, 2020.
Using a DoD Assessment Methodology, the Defense Contract Management Agency (DCMA) can conduct more demanding “Medium” or “High” assessments. In addition, the Interim Rule brings into operation the Cybersecurity Maturity Model Certification (CMMC) initiative. As early as November 30, 2020, DoD will have the authority to include in solicitations a requirement that a company have certification at a specified CMMC “Maturity Level” to be eligible for contract award.
While this will roll out slowly at first, CMMC will apply to all DoD solicitations and contracts, including those for the acquisition of commercial items (except those that are exclusively COTS items), starting on or after October 1, 2025.
RJO is widely recognized for its expertise in cybersecurity and supply chain requirements as they affect DoD and other government contractors. Our new Of Counsel, Alix Tindall Webb, led the preparation of this Summary of the Interim CMMC Rule, assisted by Associates Deborah Norris Rodin and Eleanor Ross, with oversight by shareholder and Practice Group Co-Chair Bob Metzger.